There are 3 ways to whitelist an IP address in ConfigServer Security & Firewall (csf). Whitelisting an IP address will allow the IP address to access all ports on the server including any closed ports. For example, you can block SSH port 22 on the server. Then add your IP address to the whitelist, now […]
Firewalld list all open ports Firewalld list rules firewall-cmd See firewall […]
To list all open ports in firealld, run
|
1 |
firewall-cmd --list-ports |
Example See firewalld […]
To list rules use command
|
1 |
firewall-cmd --list-all --zone=public |
To list all open ports
|
1 |
firewall-cmd --list-ports |
Example
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 |
[root@centos7 zones]# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.1.1.2/32" port protocol="tcp" port="1-65535" accept' success [root@centos7 zones]# firewall-cmd --list-all --zone=public public (active) target: default icmp-block-inversion: no interfaces: eth0 eth1 sources: services: dhcpv6-client ssh ports: 25/tcp 9090/tcp protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: rule family="ipv4" source address="10.1.1.2/32" port port="1-65535" protocol="tcp" accept [root@centos7 zones]# firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="10.1.1.2/32" port protocol="tcp" port="1-65535" accept' success [root@centos7 zones]# firewall-cmd --list-all --zone=public public (active) target: default icmp-block-inversion: no interfaces: eth0 eth1 sources: services: dhcpv6-client ssh ports: 25/tcp 9090/tcp protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: [root@centos7 zones]# |
See firewall-cmd […]
For non cpanel server, install perl modules
|
1 |
yum install -y perl perl-libwww-perl perl-Time-HiRes unzip bind-utils |
On Ubuntu
|
1 |
apt-get install libwww-perl |
Once we have requirments installed, install csf with
|
1 2 3 4 5 |
cd /usr/local/src wget https://download.configserver.com/csf.tgz tar -xzf csf.tgz cd csf sh install.sh |
|
1 |
sed -i "s/RESTRICT_SYSLOG = \"0\"/RESTRICT_SYSLOG = \"1\"/g" /etc/csf/csf.conf |
See csf […]
CSF firewall can block all traffic from a country or list of counrty using GeoIP database. To block a country, edit file
|
1 |
/etc/csf/csf.conf |
Find
|
1 |
CC_DENY="" |
Replace with
|
1 |
CC_DENY="2_LETTER_COUNTRY_CODE" |
Here is an example to block all traffic from China
|
1 |
CC_DENY="CN" |
If you want to block another counrt, you can add it like
|
1 |
CC_DENY="CN,RU" |
Now restart csf […]
To disable IP block alert in CSF firewall, run
|
1 |
sed -i "s/LF_PERMBLOCK_ALERT\s*=.*$/LF_PERMBLOCK_ALERT = \"0\"/g" /etc/csf/csf.conf |
Restart lfd and csf
|
1 2 |
systemctl restart lfd csf -r |
See csf firewall […]
To block all traffic from a country in CSF Firewall edit file /etc/csf/csf.conf
|
1 |
vi /etc/csf/csf.conf |
Find the line
|
1 |
CC_DENY = "" |
In this line, you can add 2 Letter country code. For example to block China and Russia, add
|
1 |
CC_DENY = "CN,RU" |
Now you need to restart firewall with command
|
1 2 |
systemctl restart lfd csf -r |
[…]
firewalld ufw iptables Install bitninja firewall https://opnsense.org […]
To unban an IP from CSF firewall, run
|
1 |
csf -dr IP_ADDR |
Here i have an IP blocked in firewall.
|
1 2 3 4 |
[root@server22 ~]# iptables -L -n | grep 13.224.29.193 DROP all -- 13.224.29.193 0.0.0.0/0 LOGDROPOUT all -- 0.0.0.0/0 13.224.29.193 [root@server22 ~]# |
To see if CSF is blocking the IP, run
|
1 |
csf -g IP_ADDR |
Example This command also give reason for why the IP is blocked. Lets unban the IP address with command
|
1 |
csf -dr IP_ADDR |
Now IP should not be listed in […]